Merge pull request #181 from Sphereon-Opensource/develop

New release

Author: nklomp

.github/workflows/build-test-on-pr.yml

@@ -23,9 +23,9 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '20.x'
-      - uses: pnpm/action-setup@v3
+      - uses: pnpm/action-setup@v4
         with:
-          version: 8.15.7
+          version: 9.15.3 # TODO remove later, we are temporary dealing with a broken pnpm version in the CI container
       - run: pnpm install
       - run: pnpm build
       - name: run CI tests
@@ -41,4 +41,13 @@ jobs:
           SPHEREON_SSI_MSAL_USERNAME: ${{ secrets.SPHEREON_SSI_MSAL_USERNAME }}
           SPHEREON_SSI_MSAL_PASSWORD: ${{ secrets.SPHEREON_SSI_MSAL_PASSWORD }}
         run: pnpm test:ci
-      - run: npx codecov
+      - name: codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
+          name: codecove # optional
+          flags: unittest
+          fail_ci_if_error: true # optional (default = false)
+          #directory: ./coverage/reports/
+          #files: ./coverage1.xml,./coverage2.xml
+          verbose: true # optional (default = false)

.github/workflows/build-test-publish-on-push.yml

@@ -37,18 +37,9 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '20.x'
-      - uses: pnpm/action-setup@v3
+      - uses: pnpm/action-setup@v4
         with:
-          version: 8.15.7
-#      - name: Get yarn cache directory path
-#        id: yarn-cache-dir-path
-#        run: echo "::set-output name=dir::$(yarn cache dir)"
-#      - uses: actions/cache@v2
-#        id: yarn-cache
-#        with:
-#          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-#          key: ${{ runner.os }}-yarn-2-${{ hashFiles('**/package.json') }}
-
+          version: 9.15.3 # TODO remove later, we are temporary dealing with a broken pnpm version in the CI container
       - run: pnpm install
       - run: pnpm build
       - name: run integration tests
@@ -81,18 +72,25 @@ jobs:
       - name: diff
         run: git diff
 
+      - name: Sets PREID
+        env:
+          name: "${{github.ref_name}}"
+        run: |
+          echo "PRE_ID=${name//[\/_-]/.}" >> $GITHUB_ENV
+
       - name: publish @latest when on main
         if: github.ref == 'refs/heads/main'
-        run: pnpm publish:latest
+        run: lerna publish --conventional-commits --force-publish --include-merged-tags --sync-dist-version --create-release github --yes --dist-tag latest --registry https://registry.npmjs.org
 
       - name: publish @next when on develop
         if: github.ref == 'refs/heads/develop'
-        run: pnpm publish:next
+        run: lerna publish --conventional-prerelease --force-publish --canary --sync-dist-version --no-git-tag-version --include-merged-tags --preid next --pre-dist-tag next --yes --registry https://registry.npmjs.org
 
-      - name: publish @next when on fix
+      - name: publish @next when on fix branch
         if: startsWith(github.ref, 'refs/heads/fix')
-        run: pnpm publish:next
+        run: lerna publish --conventional-prerelease --force-publish --canary --sync-dist-version --no-git-tag-version --include-merged-tags --preid fix --pre-dist-tag fix --yes --registry https://registry.npmjs.org
 
       - name: publish @unstable when on unstable branch
         if: startsWith(github.ref, 'refs/heads/feat')
-        run: pnpm publish:unstable
+        run: lerna publish --conventional-prerelease --force-publish --canary --sync-dist-version --no-git-tag-version --include-merged-tags --preid $PRE_ID --pre-dist-tag unstable --yes --throttle-size 75 --registry https://registry.npmjs.org
+

package.json

@@ -23,6 +23,8 @@
     "node": ">=18"
   },
   "resolutions": {
+    "@sphereon/ssi-types": "^0.32.1-next.161",
+    "dcql": "0.2.19",
     "node-fetch": "2.6.12"
   },
   "prettier": {
@@ -35,7 +37,6 @@
     "@types/debug": "^4.1.12",
     "@types/jest": "^29.5.12",
     "@types/node": "^18.19.39",
-    "codecov": "^3.8.3",
     "jest": "^29.7.0",
     "lerna": "^8.1.6",
     "lerna-changelog": "^2.2.0",
@@ -48,10 +49,13 @@
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
+    "ARF",
+    "EUIDW",
     "OpenID",
     "SIOP",
+    "SIOPv2",
     "Self Issued OpenID Provider",
-    "OPenId for Verifiable Presentations",
+    "OpenId for Verifiable Presentations",
     "OpenID for Verifiable Credential Issuance",
     "OAuth2",
     "SSI",

packages/callback-example/lib/__tests__/issuerCallback.spec.ts

@@ -7,6 +7,7 @@ import {
   CNonceState,
   CredentialConfigurationSupportedV1_0_13,
   CredentialIssuerMetadataV1_0_13,
+  CredentialOfferSession,
   CredentialRequest,
   IssuerCredentialSubjectDisplay,
   IssueStatus,
@@ -15,9 +16,13 @@ import {
   OpenId4VCIVersion,
   ProofOfPossession,
 } from '@sphereon/oid4vci-common'
-import { CredentialOfferSession } from '@sphereon/oid4vci-common/dist'
-import { CredentialSupportedBuilderV1_13, VcIssuer, VcIssuerBuilder } from '@sphereon/oid4vci-issuer'
-import { MemoryStates } from '@sphereon/oid4vci-issuer'
+import {
+  AuthorizationServerMetadataBuilder,
+  CredentialSupportedBuilderV1_13,
+  MemoryStates,
+  VcIssuer,
+  VcIssuerBuilder,
+} from '@sphereon/oid4vci-issuer'
 import { CredentialDataSupplierResult } from '@sphereon/oid4vci-issuer/dist/types'
 import { ICredential, IProofPurpose, IProofType, W3CVerifiableCredential } from '@sphereon/ssi-types'
 import { DIDDocument } from 'did-resolver'
@@ -47,7 +52,17 @@ async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promi
     .sign(keypair.privateKey)
 }
 
-async function verifyCallbackFunction(args: { jwt: string; kid?: string }): Promise<JwtVerifyResult<DIDDocument>> {
+const authorizationServerMetadata = new AuthorizationServerMetadataBuilder()
+  .withIssuer(IDENTIPROOF_ISSUER_URL)
+  .withCredentialEndpoint('http://localhost:3456/test/credential-endpoint')
+  .withTokenEndpoint('http://localhost:3456/test/token')
+  .withAuthorizationEndpoint('https://token-endpoint.example.com/authorize')
+  .withTokenEndpointAuthMethodsSupported(['none', 'client_secret_basic', 'client_secret_jwt', 'client_secret_post'])
+  .withResponseTypesSupported(['code', 'token', 'id_token'])
+  .withScopesSupported(['openid', 'abcdef'])
+  .build()
+
+async function verifyCallbackFunction(args: { jwt: string; kid?: string }): Promise<JwtVerifyResult> {
   const result = await jose.jwtVerify(args.jwt, keypair.publicKey)
   const kid = result.protectedHeader.kid ?? args.kid
   const did = kid!.split('#')[0]
@@ -83,7 +98,7 @@ afterAll(async () => {
   await new Promise((resolve) => setTimeout((v: void) => resolve(v), 500))
 })
 describe('issuerCallback', () => {
-  let vcIssuer: VcIssuer<DIDDocument>
+  let vcIssuer: VcIssuer
   const state = 'existing-state'
   const clientId = 'sphereon:wallet'
 
@@ -146,10 +161,11 @@ describe('issuerCallback', () => {
 
     const nonces = new MemoryStates<CNonceState>()
     await nonces.set('test_value', { cNonce: 'test_value', createdAt: +new Date(), issuerState: 'existing-state' })
-    vcIssuer = new VcIssuerBuilder<DIDDocument>()
+    vcIssuer = new VcIssuerBuilder()
       .withAuthorizationServers('https://authorization-server')
       .withCredentialEndpoint('https://credential-endpoint')
       .withCredentialIssuer(IDENTIPROOF_ISSUER_URL)
+      .withAuthorizationMetadata(authorizationServerMetadata)
       .withIssuerDisplay({
         name: 'example issuer',
         locale: 'en-US',

packages/callback-example/package.json

@@ -19,7 +19,7 @@
     "@sphereon/oid4vci-client": "workspace:*",
     "@sphereon/oid4vci-common": "workspace:*",
     "@sphereon/oid4vci-issuer": "workspace:*",
-    "@sphereon/ssi-types": "0.28.0",
+    "@sphereon/ssi-types": "^0.32.1-next.161",
     "jose": "^4.10.0"
   },
   "devDependencies": {

packages/client/README.md

@@ -110,7 +110,6 @@ console.log(accessToken);
 /**
  * {
  *   access_token: 'ey6546.546654.64565',
- *   authorization_pending: false,
  *   c_nonce: 'c_nonce2022101300',
  *   c_nonce_expires_in: 2025101300,
  *   interval: 2025101300,

packages/client/lib/AccessTokenClient.ts

@@ -116,7 +116,7 @@ export class AccessTokenClient {
 
     return {
       ...response,
-      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+      ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),
     };
   }
 
@@ -132,18 +132,7 @@ export class AccessTokenClient {
     const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
     await createJwtBearerClientAssertion(request, { ...opts, credentialIssuer });
 
-    if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
-      this.assertAlphanumericPin(opts.pinMetadata, pin);
-      request.user_pin = pin;
-      request.tx_code = pin;
-
-      request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
-      // we actually know it is there because of the isPreAuthCode call
-      request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
-
-      return request as AccessTokenRequest;
-    }
-
+    // Prefer AUTHORIZATION_CODE over PRE_AUTHORIZED_CODE_FLOW
     if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
       request.grant_type = GrantTypes.AUTHORIZATION_CODE;
       request.code = code;
@@ -156,6 +145,18 @@ export class AccessTokenClient {
       return request as AccessTokenRequest;
     }
 
+    if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+      this.assertAlphanumericPin(opts.pinMetadata, pin);
+      request.user_pin = pin;
+      request.tx_code = pin;
+
+      request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
+      // we actually know it is there because of the isPreAuthCode call
+      request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
+
+      return request as AccessTokenRequest;
+    }
+
     throw new Error('Credential offer request follows neither pre-authorized code nor authorization code flow requirements.');
   }
 
@@ -238,6 +239,7 @@ export class AccessTokenClient {
       throw new Error('Authorization flow requires the code to be present');
     }
   }
+
   private validate(accessTokenRequest: AccessTokenRequest, pinMeta?: TxCodeAndPinRequired): void {
     if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
       this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);

packages/client/lib/AccessTokenClientV1_0_11.ts

@@ -120,7 +120,7 @@ export class AccessTokenClientV1_0_11 {
 
     return {
       ...response,
-      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+      ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),
     };
   }
 
@@ -137,17 +137,7 @@ export class AccessTokenClientV1_0_11 {
     }
     await createJwtBearerClientAssertion(request, { ...opts, version: OpenId4VCIVersion.VER_1_0_11, credentialIssuer });
 
-    if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
-      this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
-      request.user_pin = pin;
-
-      request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
-      // we actually know it is there because of the isPreAuthCode call
-      request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
-
-      return request as AccessTokenRequest;
-    }
-
+    // Prefer AUTHORIZATION_CODE over PRE_AUTHORIZED_CODE_FLOW
     if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
       request.grant_type = GrantTypes.AUTHORIZATION_CODE;
       request.code = code;
@@ -160,6 +150,16 @@ export class AccessTokenClientV1_0_11 {
       return request as AccessTokenRequest;
     }
 
+    if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+      this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+      request.user_pin = pin;
+
+      request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
+      // we actually know it is there because of the isPreAuthCode call
+      request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
+
+      return request as AccessTokenRequest;
+    }
     throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.');
   }
 
@@ -220,6 +220,7 @@ export class AccessTokenClientV1_0_11 {
       throw new Error('Authorization flow requires the code to be present');
     }
   }
+
   private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {
     if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
       this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);